KPMG Survey Confirms Increase in HIPAA Data Breaches in the Past 2 Years

KPMG has published the findings of its recent Cyber Healthcare & Life Sciences Survey. The survey was conducted on 100 individuals with responsibility for information security at healthcare providers and payers with annual revenues in excess of $500 million.

The survey, which was last conducted in 2015, shows that over the past two years the proportion of organizations reporting a HIPAA data breach has risen by 10 percentage points. This year, 47% of healthcare providers and health insurers said they had experienced at least one HIPAA data breach in the past two years.

While HIPAA data breaches have increased, readiness to deal with them has improved. In 2015, 16% of respondents said they were completely ready to deal with a HIPAA data breach; this year, 35% said so. That is a significant improvement, but it still leaves 65% of respondents who do not consider themselves fully prepared, even though the frequency of cyberattacks and insider incidents has risen sharply over the same two years.

2016 was a record year for healthcare data breaches, with more incidents reported to the HHS’ Office for Civil Rights than any other year since details of data breaches started being made public. Dion Sheidy, Healthcare Advisory Leader at KPMG, said healthcare organizations that do not fully appreciate the seriousness of cybersecurity risks are on ‘treacherous ground.’

If healthcare organizations are to improve their defenses against cyberattacks and insider incidents, the C-Suite must take an active interest in improving defenses and not leave cybersecurity to their IT departments. Yet, over the past two years, there has been a decrease in healthcare organizations that view cybersecurity as an issue for the board. In 2015, 87% of respondents said cybersecurity was a board matter. In 2016 the figure had dropped to 79%.

The survey also revealed a decrease in investment in cybersecurity defenses. Only 66% of respondents reported investing in information protection in the past 12 months, down from 88% in 2015.

Investment in technology to improve cybersecurity defenses remains a priority: 76% of respondents plan to purchase new technology in the next 12 months, 83% are investing time and resources in updating policies and processes on data access, and 41% said they will invest in hiring and training staff.

Two years ago, ransomware was not a major issue. That has now changed. In the past 12 months, 32% of respondents said ransomware had found its way into their systems. That figure does not tie in with the number of incidents reported to the Office for Civil Rights. Many healthcare organizations are choosing not to report ransomware incidents, even though OCR has issued guidance stating that a ransomware attack on PHI is presumed to be a HIPAA breach unless the organization can demonstrate a low probability that the PHI was compromised.

Of the respondents who said they had experienced a ransomware attack, 41% said they paid the ransom to regain access to their data. Only 19% said they were working with law enforcement and pursuing criminal action.

When asked about the biggest cybersecurity threats and vulnerabilities, 63% of respondents named data sharing with third parties as the biggest vulnerability. Internet-enabled devices also ranked highly. Device manufacturers, biotech firms and pharma companies said the biggest threat was state-sponsored hackers. Individual hackers were rated a major threat by 49% of respondents, and hacktivists were rated the top threat by 47%.

Respondents believed the main targets for hackers were financial information (69%), followed by patient/clinical research (63%), competitive market analyses (49%), the PII of employees (45%), and patient data (30%).